
The General Data Protection Regulation (GDPR) is a regulation of the European Union that has applied in all member states since 25 May 2018. It regulates the processing of personal data.
The GDPR is technologically neutral. Because of the special circumstances on the internet, additional regulations were issued. These include, for example, the ePrivacy Directive, whose second version was also referred to as the Cookie Directive.
For the internet and websites, the GDPR is particularly relevant because IP addresses are personal data (see judgments of the ECJ and BGH). Data processing already occurs when data is collected and an addressee named by a provider is able to take note of it.
So every request to a website is an operation that falls within the scope of the GDPR. Every operator of a website has to comply with the GDPR. Many do this reluctantly or not at all, as can be seen for example in the use of illegal consent tools.
However, it should be noted that IP addresses were already personal data before the GDPR came into effect. The BDSG (German privacy law) was simply not consistently applied. In this context, it has been mentioned that some data protection supervisory authorities in Germany do not exactly shine with excessive activity (greetings especially to Hesse).
For websites, therefore, some consequences arise, including:
- Obtaining consent prior to carrying out specific data processing operations
- Explanation of the data processing operations performed, both in the data protection declaration and in consent requests
- Notification of the rights of those affected in the data protection declaration
- Naming of a responsible person in the data protection declaration
- Accessibility of the data protection declaration from every subpage (with a maximum of two clicks)
- Ongoing checks by data protection supervisory authorities are possible
- Data protection violations can result in fines
What is data processing?
The answer is given in Article 4 GDPR. My brief summary: almost any form of providing personal data to third parties is considered data processing, regardless of whether any processing actually takes place. This definition is sensible because no third party can prove the following process:
- Website W passes a link (URL) to user data to service provider D through tracking (the URL is recorded by a tracker)
- Service provider D retrieves the received URL
- Service provider D evaluates the extracted content
Article 4 of the GDPR states under point 2:
In the sense of this regulation, the term means:
"Processing": every operation or series of operations carried out with or without the aid of automated processes on personal data such as collection, recording, organisation, sorting, storage, adaptation or alteration, retrieval, inquiry, use, disclosure by transmission, distribution or other form of provision, comparison or linking, restriction, deletion or destruction;
Article 4, Section 2 of the GDPR
Anyone who, through tracking, shares with third parties a URL that links to another person's personal data enables the processing of this data and probably violates Art. 32 GDPR (Security of Processing), in particular:
…take suitable technical and organisational measures by the responsible person and the processor, in order to… ensure the ability, confidentiality, integrity, availability and robustness of systems and services related to processing on a lasting basis
Excerpts from Article 32, Paragraph 1 of the GDPR
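One technical measure against the W-to-D leak described above, as an added example that is not part of the original article: reduce a page URL before it is handed to any third-party tracker, so that the third party cannot retrieve the page itself. The function name, the segment heuristics and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Heuristics (assumptions of this example) for path segments that identify a
# person or unlock a record rather than name a page. They deliberately
# over-match: a numeric segment such as a year is redacted as well.
SENSITIVE_SEGMENT = re.compile(
    r"\d+"                                                    # numeric record id
    r"|[0-9a-fA-F]{16,}"                                      # long hex token
    r"|[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"  # UUID
    r"|[^/@\s]+@[^/@\s]+\.[^/@\s]+"                           # e-mail address
    r"|[A-Za-z0-9_]{20,}"                                     # opaque token
)

def redact_for_third_party(url: str) -> str:
    """Return the form of `url` that may be handed to a tracker.

    The query string and fragment are dropped completely, because they often
    carry session ids, e-mail addresses or share tokens. Path segments that
    match SENSITIVE_SEGMENT are replaced, so the third party still learns
    which kind of page was viewed but receives no working link to it.
    """
    parts = urlsplit(url)
    path = "/".join(
        ":redacted" if SENSITIVE_SEGMENT.fullmatch(unquote(seg)) else seg
        for seg in parts.path.split("/")
    )
    # hostname (not netloc) also strips a user:password@ prefix and the port.
    return urlunsplit((parts.scheme, parts.hostname or "", path, "", ""))

# Constructed sample URLs, not taken from real sites.
SAMPLES = [
    "https://shop.example/orders/48213/invoice?email=jane%40mail.example&t=abc#top",
    "https://portal.example/share/3f9a1c0b7d2e4a6f8b1c2d3e4f5a6b7c",
    "https://news.example/unsubscribe/jane%40mail.example",
    "https://blog.example/gdpr/cookie-popups-five-reasons",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", redact_for_third_party(sample))
```
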
Data processing begins as soon as data is collected. I looked more closely at data collection. As soon as a server receives a request based on an offer (such as a website) and does not block it, data processing takes place! As soon as you have a letter in your mailbox that someone has sent to you based on your offer, you collect the data in the letter (unless your mailbox catches fire shortly after receiving the letter, etc.).
Key articles of the GDPR
When evaluating questions about data protection on websites, the following articles are always involved:
- Article 4 GDPR: General Definitions, such as what constitutes personal data
- Article 5 GDPR: Principles of processing personal data. In particular, this refers to data minimization. In practice, this means a ban on using Google Fonts that are loaded from the Google server (requesting consent for fonts makes little sense). Solution: Embed fonts locally
- Article 6 GDPR: Legal bases. Especially important: Is a legitimate interest present?
- Article 7 GDPR: Conditions for a consent by a user
- Article 12 GDPR: Transparent, simple and understandable information. Good luck describing data processing by the Google conglomerate. Best not to use any Google tools or provide a comprehensive description of possible dangers
- Article 13 GDPR: Information obligations. This also leads to the necessity of a Data Protection Declaration and the Statement of Purposes of Cookies
- Article 15 GDPR: Right to information of affected persons, including the right to lodge a complaint with a supervisory authority
- Article 26 GDPR: Joint Responsibility of two data processors working together
- Article 30 GDPR: Register of Processing Activities
- Article 32 GDPR: Security of processing
- Article 44 ff. GDPR: Principles of data transmission. Especially important for data transfers to the US (Google tools etc.)
Selected topics on websites
For websites, the use of services known as tools is relevant under data protection law. I have written a series of articles on this topic and would particularly recommend the following:
- Cookies: Fundamentals
- Cookie Popups: Five reasons why they are unreliable and will always be so
- Consent Tools: Practice Test
- The Google Tag Manager requires consent
- Google Analytics in its different configurations requires consent
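A check for the embeds this article names (Google Fonts loaded from the Google server, Google Tag Manager, Google Analytics), as an added example that is not part of the original article: it parses a page's HTML and reports every resource the browser would fetch from those hosts, including `@import` rules and loader snippets inside inline `<style>` and `<script>` blocks. The host list, the class and function names and the sample page are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Hosts of the Google services the article names (assumed list; extend as needed).
WATCHED = {"fonts.googleapis.com": "Google Fonts", "fonts.gstatic.com": "Google Fonts",
           "www.googletagmanager.com": "Google Tag Manager",
           "www.google-analytics.com": "Google Analytics"}
LOADING_ATTR = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
URL_IN_TEXT = re.compile(r"""(?:https?:)?//[^\s'"()<>]+""")

class EmbedAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []    # (line, service, url)
        self._inline = False  # True inside <style>/<script> text

    def _check(self, url, line):
        try:
            host = urlsplit(url.strip()).hostname
        except ValueError:    # malformed URL, nothing to resolve
            return
        if host in WATCHED:
            self.findings.append((line, WATCHED[host], url.strip()))

    def handle_starttag(self, tag, attrs):
        self._inline = tag in ("style", "script")
        for name, value in attrs:
            if value and name == LOADING_ATTR.get(tag):  # <a href> is only a link
                self._check(value, self.getpos()[0])

    def handle_endtag(self, tag):
        self._inline = False

    def handle_data(self, data):
        if self._inline:      # @import url(...) in CSS, loader snippets in JS
            for m in URL_IN_TEXT.finditer(data):
                self._check(m.group(), self.getpos()[0] + data.count("\n", 0, m.start()))

def audit(html):
    parser = EmbedAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<style>@import url(//fonts.googleapis.com/css?family=Roboto);</style>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body><a href="https://fonts.googleapis.com/">docs</a></body></html>"""  # constructed sample
```

The check is static: requests that a tag manager or other script triggers only at runtime do not appear in the HTML and need a look at the browser's network log.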
Key messages
The GDPR applies to websites and requires them to obtain consent for data processing, explain how they use data, and respect user rights.
Sharing links to personal data online can violate data protection laws because it triggers data processing activities.
Cookie popups are not a reliable way to get user consent for data tracking.



My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
